New Ransomware Discovered: BadBlock and DMA Locker 4.0

Latest reports have uncovered a new ransomware strain called BadBlock targeting home users through malicious URLs and email attachments. Security firm Malwarebytes have also reported that DMA Locker has been updated with automated as well as command and control (C&C) protocols, using the Neutrino exploit kit to distribute the malware.

BadBlock in on the Block

This newcomer to the ransomware circle has been reported to be infecting individual home users through URLs that has malicious Javascript or drive-by exploit kits from fake Adobe Flash Player updates. Users can also get infected through spam emails carrying attachments such as archive, HTML and .exe files posing as legitimate applications. Users can also be affected by clicking on spam links such as those spread on website comment sections and 'shares' from infected social media accounts.

It changes the computer’s wallpaper to a red lock screen and grabs the victim’s attention with the caption, “Badblock in on the block!” It claims that the user’s files have been encrypted using RSA algorithm, an asymmetric cryptographic algorithm that uses two different keys (public and private) commonly used to transmit data securely.

After rendering the files inaccessible, BadBlock demands a ransom of two bitcoins (or $900, according to the ransom note). The user is also provided with help links on how to buy bitcoins and how to transfer them to the attacker's account.

The ransom note further explains that the decryption process will only start upon verification of payment, which it says can take up to two hours. It also warns, “If your anti-virus gets updated and remove BadBlock automatically, even if you pay the ransom, it will not be able to recover your files!”

DMA Locker (detected by Trend Micro as RANSOM_MADLOCKER.B) arrives on the system as a file dropped by other malware through spam email, or as a file downloaded and opened unsuspectingly by users visiting compromised websites. The ransomware encrypts files on fixed, removable and network drives, and contains undefined blacklisted paths potentially related to system stability.

Upon execution the malware checks processes and applications used for backing up data such as System Restore and terminates them. After encrypting the files, DMA Locker will show a red lock screen instructing victims to pay two bitcoins (around $895 as of May 24, 2016) to decrypt the files. The ransom note will also be saved in the system's Program Data folder and will be shown every time the user logs into the system.

DMA Locker was first reported last January and was found to be able to encrypt almost all of non-system and non-executable files it can find on the infected computer. Like BadBlock, it does not add an extension to the encrypted file but instead adds a prefix in the header of an encrypted file so the malware can identify it as such.

When it was first discovered, DMA Locker was decryptable due to flaws in the malware’s code. On the other hand, it has been reported to crash before the ransom note can be sent to the victim, so users can end up with inoperable systems and corrupted files without knowing that the ransomware was the culprit. The second and third versions of the malware, uncovered last February, fixed the bugs in its cryptography implementation and added RSA key and key validation.

Analyst Hasherzade from security firm Malwarebytes noted that its latest iteration, DMA Locker 4.0, introduces a communication protocol with its command and control server (C&C) where unique RSA keys are downloaded and victim IDs are generated and registered. It was also found to be using the Neutrino exploit kit to distribute the malware besides being manually deployed by the attackers.

The Neutrino toolkit (detected by Trend Micro as JAVA_EXPLOYT.NEU) exploits vulnerabilities in the components of Oracle’s Java Runtime Environment. It has been reported to be available on the online black market, where cybercriminals can rent the toolkit for $40 per day and $450 per month.

A building consultancy firm in the UK was the latest victim of this ransomware, encrypting the files of the computer it first infected before laterally moving and affecting the attached network drives. And while DMA Locker typically demanded one or two bitcoins, the attacker demanded $9,500, suggesting that the attack was targeted.

Hasherzade added, “The recently observed changes suggest that the product is preparing to be distributed on a massive scale. Few important things got automated. Distribution is now exploit kit-based—that makes it reach much more targets. Purchasing a key and managing payment is supported via dedicated panel,” and human interaction is no longer required.

DMA Locker was also integrated as one of the payloads in the most recent zero-day vulnerability in Adobe Flash Player, along with banking malware and other ransomware strains CryptXXX and Cerber.

Like in all cases of ransomware, there is no guarantee that paying the ransom will translate to a decrypt key or unlock tool. This is what happened to Kansas Heart Hospital when they were not given access to their files and network even after paying the ransom, and was even extorted a second time.

In DMA Locker 4.0’s case, victims were instructed to visit a normally hosted website and offered to unlock a file for free, most likely to make the promise of actually decrypting the files seem more legitimate. However, Hasherezade’s test indicated that the service was not properly working and that they did not get any file back despite successfully uploading and submitting the file for decryption.

The same can be said about BadBlock, which offers no assurances after paying the ransom. Its ransom note further says, “You only one choice to recover your files: pay the ransom. We have no interest in keeping your files locked for any reason. So right now, just rely on us and everything will be fine.”

Update: June 2, 2016

A report from security expert Lawrence Abrams noted that the BadBlock ransomware not only encrypts the user’s data files, but also executables, including Windows system files. Victims are consequently left with inoperable machines as the files needed to start the computer are encrypted.

It was also noted that unlike other ransomware variants, BadBlock displays the ransom note during its encryption process. Users affected by the malware need only go to Windows’ Task Manager and terminate the badransom.exe process to stop the encryption process.

Fabian Wosar from security firm Emsisoft has also released a decrypter tool for the ransomware, enabling victims to unlock their computers and the encrypted files for free.

2019 SECURITY PREDICTIONS

Our security predictions for 2019 are based on our experts’ analysis of the progress of current and emerging technologies, user behavior, and market trends, and their impact on the threat landscape.View the 2019 Security Predictions